1 / 20

Configuring and Managing RNI Security: System Access Control RNI Release 3.1 SP2

Configuring and Managing RNI Security: System Access Control RNI Release 3.1 SP2. C-PAMRAMI-WGE-0139-01. Introduce actions that Sensus has taken to prevent visibility and access to system resources. The goal of this module is to:.

kirk
Télécharger la présentation

Configuring and Managing RNI Security: System Access Control RNI Release 3.1 SP2

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Configuring and Managing RNI Security: System Access Control RNI Release 3.1 SP2 C-PAMRAMI-WGE-0139-01

  2. Introduce actions that Sensus has taken to prevent visibility and access to system resources. The goal of this module is to:

  3. Recall actions taken by Sensus to secure RNI servers prior to shipment to utility. • Describe why obtaining a commercial Secure Socket Layer (SSL) certificate is important. Module Objectives

  4. Controlling System Access System Access Control

  5. Understanding RNI System Hardening System Access Control Intended to eliminate as many security risks (such as unauthenticated and unauthorized access to the system) as possible For 3.x, Sensus performs system hardening on the following RNI components: • Network Controller • Web server • Database server • Stats server • Red Hat Enterprise Linux • Apache Web server • Apache Tomcat • OpenLDAP server

  6. Linux-Based Hardening Actions System Access Control Applies to Network Controller and Web servers Performed during installation by Sensus Actions performed: • Add default root user • Change root password to complex password • Register server with Red Hat Network • Disable user mounted file systems • Disable USB devices • Change directory and file permissions on sensitive system resources and critical files • Remove unused user accounts

  7. Linux-Based Hardening Actions (Continued) System Access Control • Lock down existing user accounts • Set password policy for local users • Lock down crontab files • Set requirements for PAM (Pluggable Authentication Modules) support • Customize login in banner (optional) • Set permissions for network configurations • Secure files associated with auditing and logging • Configure remote delivery of syslog messages to central location • Configure SSH access only for strong, authenticated sessions • Configure SNMP as needed • Configure audit services to track critical actions on system

  8. Database Server Hardening Actions System Access Control Performed during installation by Sensus Actions performed: • Change default passwords to complex passwords for local user accounts • Set password policy • Set account lockout policy • Set audit policy • Set security options • Change default passwords on SQL server

  9. Stats Server Hardening Actions System Access Control Performed during installation by Sensus Actions performed: • Change default passwords to complex passwords for local user accounts • Set password policy • Set account lockout policy • Set audit policy • Set security options • Enable SSL on default Web server

  10. Apache Web Server Hardening Actions System Access Control Performed after Linux hardening Performed during installation by Sensus Actions performed: • Remove track and trace HTTP methods • Remove insecure encryption ciphers

  11. Apache Tomcat Server Hardening Actions System Access Control Performed after Apache Web server hardening Performed during installation by Sensus Actions performed: • Remove default tomcat5 files • Remove default tomcat6 files • Replace shutdown password on tomcat5 install • Replace shutdown password on tomcat6 install • Update default session timeout as needed

  12. OpenLDAP Server Hardening Actions System Access Control Performed during installation by Sensus Actions performed: • Remove insecure encryption ciphers • Disable anonymous bind • Create Read-Only and Read/Write accounts for application access • Hash all passwords • Restrict access to password hashes

  13. What is the purpose of the system hardening procedures performed by Sensus? • Limit system access to administrators • Prevent password changes on the system • Reduce risk of unauthorized access to system • Hide selected servers from users

  14. Which of the following actions is common to server hardening procedures for the various RNI components? • Customize log in banner • Change default passwords • Register server with Red Hat • Remove track and trace HTTP methods

  15. Controlling System Access System Access Control

  16. SSL and SSL Certificates Defined System Access Control Secure Sockets Layer (SSL) is a standard security protocol used to establish an encrypted link between a server and a client • Typically a web server (website) and a browser, or a mail server and a mail client (e.g., Outlook) Browser and server need an SSL Certificate to establish the secure connection SSL Certificates identify a key pair and the identity of the certificate/website owner RNI uses SSL and SSL certificates to secure communications between the hardware servers and its software application users

  17. Impact of Using SSL Certificates System Access Control Users must be authenticated, use a unique password, to log in Users must enter the server addresses with https:// instead of http:// Enabled by default on Web server and Statistics server (if present)

  18. Which of the following are true about SSL-enabled Sensus servers? • Users must be authenticated, use a unique password, to log in • Provides secure communications between RNI servers and software application users • Users must enter the server addresses with https:// in front • All of the above

More Related